Office of Inspector General
Audit Report

QUALITY CONTROL REVIEW FOR CONTROLS OVER THE ENTERPRISE SERVICES CENTER
Department of Transportation
Report Number: QC-2012-003
Date Issued: November 4, 2011

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Quality Control Review of Controls Over the Enterprise Services Center, Report Number QC-2012-003
Date: November 4, 2011
From: Louis C. King, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Assistant Secretary for Budget and Programs/Chief Financial Officer

The Department of Transportation's (DOT) Enterprise Services Center (ESC), located at the Federal Aviation Administration's (FAA) Mike Monroney Aeronautical Center in Oklahoma City, operates under the direction of DOT's Chief Financial Officer, and provides financial management services to DOT and several Federal agencies.[1]

The Office of Management and Budget (OMB) requires ESC, as a management services provider, either to (1) provide ESC's user organizations with independent audit reports on the design and effectiveness of its internal controls, or (2) allow user auditors to perform tests of its controls.[2] To meet OMB's requirement, DOT's Office of Inspector General (OIG) contracted with Clifton Gunderson LLP to perform an examination of ESC's description of its system of controls and the suitability of the design and operating effectiveness of these controls for the period October 1, 2010, to June 30, 2011, and issue an independent service auditor's report. We required the contractor to perform this attestation engagement in accordance with generally accepted Government auditing standards and the American Institute of Certified Public Accountants' Statement on Standards for Attestation Engagements Number 16, Reporting on Controls at a Service Organization.

[1] The National Endowment for the Arts, the Institute of Museum and Library Services, the Commodity Futures Trading Commission, Consumer Products Safety Commission, the National Credit Union Administration, and the Government Accountability Office.
[2] OMB Memorandum M-08-24.

Clifton Gunderson LLP's examination covered both the Delphi Financial Management System[3] and the Consolidated Automation System for Time and Labor Entry (CASTLE) hosted at ESC. CASTLE is used to support DOT operations only.

In its examination, Clifton Gunderson LLP found that in all material respects:

- ESC's description of controls fairly presents ESC's system that was designed and implemented throughout the period October 1, 2010, to June 30, 2011.

- The controls were suitably designed to provide reasonable assurance that the controls' objectives would be achieved if the controls operated effectively throughout the period October 1, 2010, to June 30, 2011, and user entities applied the complementary user controls contemplated in the design of ESC's controls throughout the period October 1, 2010, to June 30, 2011.

- The controls tested, together with the complementary user entities' controls, if operating effectively, were those necessary to provide reasonable assurance that the control objectives were achieved, and operated effectively throughout the period October 1, 2010, to June 30, 2011.

We performed a quality control review (QCR) of Clifton Gunderson LLP's report and related documentation. Our QCR, as differentiated from an attestation engagement performed in accordance with generally accepted Government auditing standards, was not intended for us to express, and we do not express, an opinion on ESC's description of controls, the suitability of the design of these controls, or the operating effectiveness of the controls tested. Clifton Gunderson LLP is responsible for its independent service auditor's report dated August 1, 2011, and the conclusions expressed in that report. However, our QCR disclosed no instances where Clifton Gunderson LLP did not comply, in all material respects, with generally accepted Government auditing standards.

Clifton Gunderson performed additional testing and provided a follow-up letter to OIG dated September 30, 2011, reporting no significant changes to ESC's control environment since June 30, 2011 (the effective date of their SSAE 16 report).

As part of this attestation engagement, Clifton Gunderson LLP made recommendations to improve ESC's operations. These recommendations are in this report's Exhibit.

[3] The Delphi system includes ESC PRISM, a Federal acquisition system.

Actions Required on Clifton Gunderson's Recommendations

In his response to OIG dated October 20, 2011, the Deputy Chief Financial Officer concurred with the recommendations and committed to the completion of corrective actions (see Appendix in this report). In accordance with DOT Order 8000.1C, the recommendations will remain open pending receipt of documentary evidence that these appropriate corrective actions are complete.

We appreciate the courtesies and cooperation of Department of Transportation representatives during this engagement. If you have any questions concerning this report, please call me at (202) 366-1407, or Nathan Custer, Program Director, at (202) 366-5540.

Attachments

cc: Chief Information Officer, DOT
    Deputy Chief Financial Officer, DOT
    Assistant Administrator for Financial Services/CFO, FAA
    Assistant Administrator for Information Services/CIO, FAA
    Assistant Administrator for Region/Center Operations, FAA
    Director, Mike Monroney Aeronautical Center, FAA
    Martin Gertel, M-1
    Anthony Williams, AAE-001

EXHIBIT. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

Clifton Gunderson LLP made the following recommendations during its review of general, application, and operational controls over DOT's ESC during fiscal year 2011. OIG agrees that DOT management should implement the following actions to enhance ESC controls.

Configuration Management

1. Develop and implement a repeatable System Development Life Cycle process for Delphi in accordance with NIST 800-64 and incorporate information security throughout the life cycle stages. Already in the fourth phase of this cycle (Operation), emphasis should now be placed on a) Maintenance: modification of the existing platform by the addition of hardware and software, and b) Disposal: orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system, or preserving it in accordance with applicable records management regulations and policies.

2. Complete the implementation of Security Configuration Baselines in conformity with the United States Government Configuration Baseline (USGCB) initiative.

APPENDIX. AGENCY COMMENTS

U.S. Department of Transportation
Office of the Secretary of Transportation

Memorandum

Subject: Management Response to the SSAE-16 Audit of ESC's Services Information Security Controls
Date: October 20, 2011
From: David J. Rivait, Deputy Chief Financial Officer
To: Louis C. King, Assistant Inspector General for Financial and Information Technology Audits

The Department provides diligent oversight as it works to ensure the quality, accuracy, and integrity of the services provided by the Enterprise Services Center (ESC). The Office of Inspector General's (OIG) annual audit utilizing Statement of Standards for Attestation Engagements - 16 (SSAE-16), by its contractor, Clifton Gunderson, LLP (CG), is integral to these efforts. Once again this year the audit provided insights that enable us to further improve our already strong management and controls over financial systems in an ever-changing cyber security environment.

CG issued an unqualified opinion for the period October 1, 2010 to June 30, 2011. It found that, in all material respects, the ESC's description of controls fairly presents the ESC system that was designed and implemented. Further, the controls were suitably designed to provide reasonable assurance that their objectives would be achieved if operated effectively throughout the period.

The Department concurs with CG's recommendations and has identified corrective actions. Consistent with past practices, the Office of the Assistant Secretary for Budget and Performance/CFO and ESC worked with the auditors throughout this year's SSAE-16 audit to identify and schedule corrective actions as audit findings were documented, to ensure timely and appropriate management action. These corrective action plans will be forwarded to you under separate cover prior to October 31, 2011.

As a Federal Shared Service Provider (FSSP) designated by the Office of Management and Budget (OMB) to provide a state-of-the-art financial system and quality accounting services to other Federal agencies, ESC has demonstrated its strong commitment to ensuring that its Financial Management Services meet or exceed all information security requirements.

Thank you for your continuing support and assistance in this effort.

cc: Maria Dowds, Joann Adam, Robert Owens, Wendy Calvin, Marshal Gimpel, Mike Upton, Keith Burlison, Bo Peeler, Steve Aube, Janet Shell, and Kent Mitchell